[Firehol-support] Firehol centralised on router with Wifi AP
kjetil at kjernsmo.net
Sun Sep 11 22:47:36 BST 2016
I've been using FireHOL on my router and firewall box for a while now for
my home network, and it was great finding something making it that easy to
set up. I'm still on 1.297 though, as it is a Debian Stable box.
Now to my next problem: My router has a 5 ethernet interfaces, and where
eth2 connects to a Wifi accesspoint, namely a Ubiquity UniFi AP. However, I
would like to have all firewall rules on the router box, and additionally,
I'd like to divide the connecting devices into authorized and unauthorized
classes, where the authorized devices has the pretty much full access to
the LAN, at eth1. Those two requirements creates some problems, that I
hope someone can help me resolve :-)
My initial idea was just to keep the AP open for all, and just use OpenVPN
for all devices. Enabling OpenVPN on my mobile phone required setting a
PIN though. I did that, but the rest of the family most certainly can't be
bothered. Also, my security requirements aren't high, there are no huge
business secrets here, we live rurally (I don't expect Google to drive by
any time soon :-) ) and the signal is barely detectable outside the walls.
This calls for fewer hoops. :-)
Now, I've configured the AP to have a public clear-text essid and an
encrypted private one.
Then, my next idea was to use Dnsmasq where I gave each known device an IP
based on their MAC, and the idea was that unknown devices would be
dynamically assigned outside of this range. Then, I could use those ranges
in the firewall config. Apparently, Dnsmasq don't work that way, it cannot
guarantee that dynamically assigned IPs are outside of the static range
for a given interface.
Now, rather come up with more silly ideas, I suppose it is time to ask for
help... :-) Is it possible to allow both unknown and known users at the AP
without firewalling them there and at the firewall allow known users to
access the LAN? Without making the known users jump through too many
I just has another idea that I don't know whether can work: Could I have
the AP mark packages from the known devices and then use that mark in the
firewall? That would certainly not be the perfect solution, but possibly
Or something else entirely?
More information about the Firehol-support